The Rumour That Someone Tried To Steal The Zelda: Breath Of The Wild E3 Demo

Not long after this year's E3 showfloor opened up for exhibitors, the internet started gossiping about a hacker who was supposedly trying to pilfer the impressive Zelda: Breath of the Wild demo from right under Nintendo's nose. For some sceptics, it sounded too incredible to be true.
Illustration: Sam Woolley

How could someone possibly steal a demo from a kiosk that is presumably under a proverbial lock and key? Never mind the many fans hovering around the demo area, or the Nintendo representatives walking around the booth. This doesn't exactly look like the ideal place to swing a heist.

Since then, the internet has developed a culture of showboating on social media, especially in regards to hacking. Anybody can go online and say that they are X or they did Y, and it's often impossible to verify whether or not the boasts are true. Unsurprisingly, once the initial report of a potential hacker trying to steal the Zelda demo made the rounds, there were a number of people on the internet also claiming to attempt it. It is unclear whether or not the initial reported attempt inspired cry-wolf copycats, or if indeed multiple people had the same idea at the same time. Undoubtedly, some people are just bullshitting about trying to nab the Zelda demo.

Amidst all this, I found that the most famous Nintendo hacker of all, NWPlayer123, kept alleging that the rumours of an attempted Zelda demo heist were actually legit. NWPlayer123 confirmed to me that someone was trying to take the demo from E3, and she knew this because she was somewhat involved from the sidelines. Thing is, NWPlayer123 has a reputation online, and it's pretty solid. She is known for leaking the info of Splatoon's DLC before Nintendo announced it, even hacking the game so that Octolings could be playable. She has also datamined Super Smash Bros., along with other Wii U games. So when NWPlayer123 says someone attempted to take the E3 demo, I'm inclined to believe the rumour could be possible.

To be more specific, that someone was allegedly a 17-year-old game developer known for hacking Mario Kart 8. The hacker spoke to me over email, and told me about what he (supposedly) tried to do with the Zelda demo. As proof of his attendance, the hacker shared an image of his lanyard with Kotaku -- though really, that could easily be faked. I did however see that the hacker was tweeting about attending E3 before the actual event started, and, in early June, even asked his followers if anybody would be willing to help him distract Nintendo attendants so that he could steal the demo.

According to the hacker, he didn't need access to the physical Wii U unit, beyond being able to use the system's tablet controller. "The Wii U hacking community has tools and resources to grab the game over the network as it is being played," the hacker said. I found one online tool that can be used to copy the data of any software running on a Wii U. Another debugging tool, known as TCP Gecko, can make a Wii U connect to a PC, where the user can then instruct the Wii U to take specific commands. Once a hacker starts "dumping" the data of the Wii U, finishing the job might take a couple of hours over a network.

During that time, the game itself might slow down, but so long as the hacker stays within network range, the dump could continue to process. As evidence, the hacker shared a video with me where he copied Mario Kart 8 to a computer while continuing to play the game.

I spoke to TCP Gecko's creator, A.W. Chadwick -- who was not involved with the alleged theft attempts -- and he told me that, theoretically speaking at least, taking a demo using his software was indeed possible. To do it, someone would need to use an exploit done via the Wii U's internet browser.

"The user would navigate to a special webpage which tricks the Wii U into running code not developed by Nintendo (we call this arbitrary code execution (ACE))," Chadwick said. "Once the user has achieved ACE, they can then cause the Wii U to do almost anything they would like it to." That anything, he said, could include telling the system to dump its files onto a network.

Chadwick's tool was not created for the purpose of stealing software, nor does he endorse this type of usage of his program. "Like most tools however, my tools can be used for both good and bad purposes," Chadwick said. At the moment, the top Google results for TCP Gecko involve game cheats, or game modification.

The hacker says that he went into the Zelda booth on day one of E3 and noticed that the Wii Us showcasing the game were not retail units. This immediately put a wrinkle in his plan, because the program he wanted to use was not created to interface with Wii U kiosks, or development units. So, he and a few buddies regrouped and rewrote the program. Timeline-wise, this seems to hold up: A few days ago, the hacker uploaded a modification of the exploit to GitHub, and the description claims that the program was tweaked to work with development units.

"Having to code stuff last minute was a sort of stressing ideal [sic]," the hacker said. "Mainly [because] you never know how long or how much testing one might need to do before it works, and [there being] a very strict timeframe made the situation worse."

The hacker says he returned to the Zelda booth on E3 day two, ready to put his plan into action. As the hacker tells it, the security at the Zelda booth wasn't that bad, and the crowds inadvertently helped him cover up that he "enter[ed] and exit[ed] the [configuration tools] in under 30 seconds". This aspect of the story raises my suspicion a bit, but it's actually not the thing that poses the biggest logistical problem for a theoretical demo theft. The Wii U's connection to the internet is the factor that would make or break a heist.

The hacker says that the units were not originally connected to the internet, which makes sense, considering that would make the Wii U vulnerable to anybody with hacking know-how. However, the hacker says that he used knowledge of leaked Wii U development tools, which are available online, to navigate around a non-retail unit's restrictions -- like the inability to go to the home menu during a demo. The hacker says that he used a specific combination of button presses to enter the Wii U's system config tool, where he could manipulate the console's network settings to force the console online. From there, it was just a matter of running the internet browser exploit without getting caught. Easier said than done, especially given the fact that Nintendo was cycling people through its Zelda booth throughout the day.

The hacker says he then ran into another snag: TCP Gecko did not copy the right files. The hacker alleges that he was then forced to seek the help of a friend, NWPlayer123, who could perhaps tweak the program. Indeed, the last update to this other program on GitHub was uploaded just a few days ago, but the hacker says that it was not completed in time to grab Zelda that same day. At that point, the hacker's window to steal the Zelda demo was closing. With Friday coming up, it would be the last chance he would have to take the Zelda demo.

"Having all the setbacks gave a sort of disappointing but also a sort of thrill like essence feeling, it showed a level of excitement due to the fact we all had to race against the clock," the hacker said.

For all of the hacker's scheming, he says that his final attempt did not go as planned.

"On Day 3 I... arrived at the convention centre at 10:15 am, just 15 minutes after they opened the show floor, but by that time, they already have closed the line to play the demo as it was full," the hacker said. An anticlimactic end to a heist that would have been legendary. And yet, super convenient, no? The hacker and his pals can gain infamy just for "trying" and spreading the story of their attempt.

I spoke to a Wii U third party developer, Thomas Hopper, to verify some details about the hacker's tale. According to Hopper, his development unit does not have any magic key combinations to launch a config tool. However, the Wii U has more than one kind of development unit, and they don't all work in the exact same way.

"If you were blocking the home menu in your demo to [the] public on a devkit-light style unit the developer might have a key combination to get access to the home menu or a debug menu," Hopper speculated. While Hopper remained somewhat sceptical that the hacker's specific button combination could bring a unit to display configuration tools, he does admit that the hacker's tale is not entirely out of the question.

"They clearly have had access to a devkit at some point," Hopper said, after I shared the specifics of what the hacker allegedly attempted. "If you could somehow launch the system config tool you really could reconfigure the network settings."

The creator of TCP Gecko agrees that, hypothetically speaking, the hacker's story does seem believable. "I can't say for certain it is the case, but it seems quite plausible... my gut reaction is that there is no reason at a technical level to disbelieve what they have posted."

The hacker could not share any images or proof that he managed to fiddle with the Wii U kiosks at E3, but I can see that there was back and forth between him and other Wii U hackers on Twitter, where he was asking for help rewriting programs for the Wii U. I can also see that he was publicly troubleshooting some of the issues he came across on Twitter as well. Additionally, other hackers posted updates on their program tweaks around the same timeline that the hacker proposed. If the Zelda heist is a lie, it seems to be a well-coordinated one spanning multiple hackers, some of whom are famed for knowing their shit. Maintaining a front like that could have been achieved through simpler terms, like just telling people that they tried and failed. Instead, these people went through the trouble of uploading actual program tweaks that could potentially jeopardise their reputation as ~elite hackerz~. Reputation is the only thing these hackers have to gain here, really.

The Goron in the room is this: Why go through all this trouble to break the law?

The hacker's motivations are arguably mischievous, given that he wanted to pirate the demo so that fans could play it. "It's an E3 demo and [there is] always unused content to see, not to mention it would be nice to play the game months early before its expected release," the hacker said. "Even though the end result was negative, I still find it to be completely worth it because why not risk chances in life?"

Others involved seemed to have more innocent intentions: NWPlayer123 tweeted that she was only really interested in the music files. Which, sure. Breath of the Wild's low-key tracks are pretty dope from what I've heard so far.

Kotaku cannot fully confirm whether or not the attempted Zelda heist of 2016 actually happened, and Nintendo told us that they have no comment on the situation. It could be that these hackers are just pulling a fast one on all of us. At the very least, it's wild to think that thanks to the advances in the Wii U hacking scene, a Zelda heist is even conceivable in the first place.

Comments

I get that Kotaku likes to thumb the nose at the corporate video game news cycle but this is a bit beyond the pale. Maybe hit up the bloke who stole paperclips from the stationery cupboard at Xbox Australia next.

Again, I disagree. This isn't a loophole that anyone can use at any time - and in fact, by publishing the details, it's even more likely that Nintendo can secure their systems to prevent a similar attempt from occurring in the future.

I mean, anyone that has the technical expertise to perform this kind of theft isn't going to need a guide from Kotaku in order to do it.

How is reporting on the successful lifting of a game demo right in the middle of a conference at all the same thing as directly leading to piracy? Next thing you'll be telling me that story of a truckload of games and amiibo being stolen shouldn't have been reported on because it would have led readers directly to purchase stolen goods.

Then they'd have to spend time cutting out stuff that might spoil it, build around areas you aren't meant to get to and bug test and actually support it. Then have people data mine it and release secrets. I understand why they don't.

"The Goron in the room is this: Why go through all this trouble to break the law?" What a retarded question. Put them in a situation where it wasn't against the law to nab a copy of the demo, and they still would have done it. Law isn't even a part of the equation.

Of course law is part of the equation. It's almost all of the equation, in fact. If Nintendo were giving away copies of the demo freely to attendees at the show this would a) have been an entirely pointless exercise to attempt and b) not have been news.

I hope you realise the difference between trying to obtain an illegal copy of a demo that the public was not meant to get a copy of, and obtaining a copy of a demo that is just freely being handed out. If Nintendo were giving away copies of the demo, none of this would have been necessary. He could have just approached the booth and been given one, which would not have been remarkable enough to report on because just about everyone at the show would have obtained a copy too.

I was pretty sure the Wii U system update that released a few weeks ago actually broke the use of mods like the one this guy was allegedly trying to use... unless the mod authors had rewritten it since then, which is entirely possible.

(Bit late to the party, but...) Given the time constraints they deal with for these E3 demos, I would expect that they *wouldn't* have the latest firmware. That sort of thing introduces variables that developers in a crunch just don't need. Given that they had full control over the devices they were going to run on anyway, they probably fixed on the firmware version months ago.

It's a bit of a vicious cycle though... Nintendo are secretive and distant, so fans try their hardest to figure out / calculate / steal any new updates or tidbits (or demos), which makes Nintendo even more secretive and distant, which makes...

Units could have been kiosk units and not dev units, two very different things.
Someone needs to google the key combo and find a unit in store.
I also imagine kiosk units are much cheaper and easier to set up than devs; with the number Nintendo had, it makes sense.